CVE List - 2024 / December
Showing 2601 - 2700 of 3433 CVEs for December 2024 (Page 27 of 35)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2024-11774 | 2024-12-20 | Outdooractive Embed <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-12506 | 2024-12-20 | NACC WordPress Plugin <= 4.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-11878 | 2024-12-20 | Category Post Slider <= 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-7726 | 2024-12-20 | Arbitrary Code execution via exposed JTAG port in Kioxia CM6, PM6, PM7 |
| CVE-2024-12014 | 2024-12-20 | Path Traversal vulnerability in eSignaViewer Allows Unauthorized File Access |
| CVE-2024-51466 | 2024-12-20 | IBM Cognos Analytics expression language injection |
| CVE-2024-40695 | 2024-12-20 | IBM Cognos Analytics file upload |
| CVE-2024-28767 | 2024-12-20 | IBM Security Directory Integrator command execution |
| CVE-2024-56348 | 2024-12-20 | In JetBrains TeamCity before 2024.12 improper access control allowed viewing details of unauthorized agents |
| CVE-2024-56349 | 2024-12-20 | In JetBrains TeamCity before 2024.12 improper access control allowed unauthorized users to modify build logs |
| CVE-2024-56350 | 2024-12-20 | In JetBrains TeamCity before 2024.12 build credentials allowed unauthorized viewing of projects |
| CVE-2024-56351 | 2024-12-20 | In JetBrains TeamCity before 2024.12 access tokens were not revoked after removing user roles |
| CVE-2024-56352 | 2024-12-20 | In JetBrains TeamCity before 2024.12 stored XSS was possible via image name on the agent details page |
| CVE-2024-56353 | 2024-12-20 | In JetBrains TeamCity before 2024.12 backup file exposed user credentials and session cookies |
| CVE-2024-56354 | 2024-12-20 | In JetBrains TeamCity before 2024.12 password field values were accessible to users with view settings permission |
| CVE-2024-56355 | 2024-12-20 | In JetBrains TeamCity before 2024.12 missing Content-Type header in RemoteBuildLogController response could lead to XSS |
| CVE-2024-56356 | 2024-12-20 | In JetBrains TeamCity before 2024.12 insecure XMLParser configuration could lead to potential XXE attack |
| CVE-2024-56337 | 2024-12-20 | Apache Tomcat: RCE due to TOCTOU issue in JSP compilation - CVE-2024-50379 mitigation was incomplete |
| CVE-2024-10385 | 2024-12-20 | Stored XSS in DirectAdmin Evo Skin |
| CVE-2024-12677 | 2024-12-20 | Delta Electronics DTM Soft Deserialization of Untrusted Data |
| CVE-2024-12841 | 2024-12-20 | Emlog Pro tag.php cross site scripting |
| CVE-2024-12867 | 2024-12-20 | Server-Side Request Forgery in Arctic Hub URL Mapper allows an unauthenticated remote attacker to exfiltrate and modify configurations and data |
| CVE-2024-56331 | 2024-12-20 | Local File Inclusion (LFI) via Improper URL Handling in uptime-kuma's `Real-Browser` monitor |
| CVE-2024-56333 | 2024-12-20 | Remote code execution in onyxia-api |
| CVE-2024-56329 | 2024-12-20 | Account Takeover Vulnerability in Social Account Linking in joelbutcher/socialstream |
| CVE-2024-12842 | 2024-12-20 | Emlog Pro user.php cross site scripting |
| CVE-2024-56330 | 2024-12-20 | Session VNC may be accessed by other sessions on the same host in stardust |
| CVE-2024-56334 | 2024-12-20 | Command injection vulnerability in getWindowsIEEE8021x (SSID) function in systeminformation |
| CVE-2024-56335 | 2024-12-20 | Privilege escalation allows organization groups to be updated/deleted if their UUID is known in vaultwarden |
| CVE-2024-40875 | 2024-12-20 | Cross-site scripting vulnerability in the Secure Access administrative console prior to 13.52 |
| CVE-2024-56357 | 2024-12-20 | Cross-site Scripting vulnerability through custom widget URLs and form redirect URLs in grist-core |
| CVE-2024-56358 | 2024-12-20 | Cross-site Scripting vulnerability through svg attachment previews in grist-core |
| CVE-2024-56359 | 2024-12-20 | Cross-site Scripting vulnerability through HyperLink cells in grist-core |
| CVE-2024-12843 | 2024-12-20 | Emlog Pro plugin.php cross site scripting |
| CVE-2024-12844 | 2024-12-20 | Emlog Pro store.php cross site scripting |
| CVE-2024-12845 | 2024-12-20 | Emlog Pro common.php cross site scripting |
| CVE-2020-13712 | 2024-12-20 | MGOS Command Injection |
| CVE-2024-11811 | 2024-12-20 | Feedify – Web Push Notifications <= 2.4.2 - Reflected Cross-Site Scripting |
| CVE-2023-31279 | 2024-12-20 | Improper Authentication |
| CVE-2023-31280 | 2024-12-20 | Exposure of Sensitive Information to an Unauthorized Actor |
| CVE-2024-11349 | 2024-12-21 | AdForest <= 5.1.6 - Authentication Bypass |
| CVE-2024-12846 | 2024-12-21 | Emlog Pro link.php cross site scripting |
| CVE-2024-11977 | 2024-12-21 | kk Star Ratings – Rate Post & Collect User Feedbacks <= 5.4.10 - Unauthenticated Arbitrary Shortcode Execution |
| CVE-2024-11607 | 2024-12-21 | GTPayment Donations <= 1.0.0 - Stored XSS via CSRF |
| CVE-2024-11287 | 2024-12-21 | Ebook Store <= 5.8001 - Reflected Cross-Site Scripting |
| CVE-2024-12066 | 2024-12-21 | SMSA Shipping(official) <= 2.2 - Authenticated (Subscriber+) Arbitrary File Deletion |
| CVE-2024-12771 | 2024-12-21 | eCommerce Product Catalog Plugin for WordPress <= 3.3.43 - Cross-Site Request Forgery to Password Reset |
| CVE-2024-12721 | 2024-12-21 | Custom Product Tabs For WooCommerce <= 1.2.4 - Authenticated (Shop Manager+) PHP Object Injection |
| CVE-2024-11938 | 2024-12-21 | One Click Upsell Funnel for WooCommerce <= 3.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via wps_wocuf_pro_yes Shortcode |
| CVE-2024-12635 | 2024-12-21 | WP Docs <= 2.2.0 - Authenticated (Subscriber+) Time-Based SQL Injection via 'dir_id' |
| CVE-2024-12262 | 2024-12-21 | Ebook Store <= 5.8001 - Reflected Cross-Site Scripting via 'step' |
| CVE-2024-12697 | 2024-12-21 | real.Kit <= 5.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-11196 | 2024-12-21 | Multi-column Tag Map <= 17.0.33 - Authenticated (Contributor+) Stored Cross-Site Scripting via mctagmap Shortcode |
| CVE-2024-11682 | 2024-12-21 | G Web Pro Store Locator <= 2.1 - Reflected Cross-Site Scripting |
| CVE-2024-11975 | 2024-12-21 | Reactflow Visitor Recording and Heatmaps <= 1.0.10 - Cross-Site Request Forgery to Reflected Cross-Site Scripting |
| CVE-2024-9545 | 2024-12-21 | Shortcodes and extra features for Phlox theme <= 2.16.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via aux_contact_box and aux_gmaps Shortcodes |
| CVE-2024-12588 | 2024-12-21 | Shortcodes and extra features for Phlox theme <= 2.16.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Staff Widget |
| CVE-2024-11808 | 2024-12-21 | Pingmeter Uptime Monitoring <= 1.0.3 - Reflected Cross-Site Scripting |
| CVE-2024-10797 | 2024-12-21 | Full Screen Menu for Elementor <= 1.0.7 - Authenticated (Contributor+) Post Disclosure |
| CVE-2024-12558 | 2024-12-21 | WP BASE Booking of Appointments, Services and Events <= 4.9.2 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via app_export_db |
| CVE-2024-12408 | 2024-12-21 | WP on AWS <= 5.2.1 - Reflected Cross-Site Scripting |
| CVE-2024-11722 | 2024-12-21 | Frontend Admin by DynamiApps <= 3.25.1 - Unauthenticated SQL Injection |
| CVE-2024-11688 | 2024-12-21 | LaTeX2HTML <= 2.5.5 - Reflected Cross-Site Scripting |
| CVE-2024-10453 | 2024-12-21 | Elementor Website Builder – More than Just a Page Builder <= 3.25.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Typography Settings |
| CVE-2024-12591 | 2024-12-21 | MagicPost <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via wb_share_social Shortcode |
| CVE-2024-12875 | 2024-12-21 | Easy Digital Downloads <= 3.3.2 - Authenticated (Admin+) Arbitrary File Download |
| CVE-2024-12883 | 2024-12-21 | code-projects Job Recruitment _email.php cross site scripting |
| CVE-2024-51464 | 2024-12-21 | IBM i authentication bypass |
| CVE-2024-51463 | 2024-12-21 | IBM i server-side request forgery |
| CVE-2024-12884 | 2024-12-21 | Codezips E-Commerce Website login.php sql injection |
| CVE-2024-56375 | 2024-12-22 | An integer underflow was discovered in Fort 1.6.3 and 1.6.4 before 1.6.5. A malicious RPKI repository that descends from a (trusted) Trust Anchor can serve (via rsync or RRDP) a... |
| CVE-2024-56310 | 2024-12-22 | REDCap through 14.9.6 has a security flaw in the Project Dashboards name, exposing users to a Cross-Site Request Forgery (CSRF) attack. An attacker can exploit this by luring users into... |
| CVE-2024-56311 | 2024-12-22 | REDCap through 14.9.6 has a security flaw in the Notes section of calendar events, exposing users to a Cross-Site Request Forgery (CSRF) attack. An attacker can exploit this by luring... |
| CVE-2024-56312 | 2024-12-22 | A stored cross-site scripting (XSS) vulnerability in the Project Dashboard name of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the name field of a Project Dashboard.... |
| CVE-2024-56313 | 2024-12-22 | A stored cross-site scripting (XSS) vulnerability in the Calendar feature of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the Notes field of a calendar event. When... |
| CVE-2024-56314 | 2024-12-22 | A stored cross-site scripting (XSS) vulnerability in the Project name of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the name field of a Project. When a... |
| CVE-2024-56378 | 2024-12-22 | libpoppler.so in Poppler through 24.12.0 has an out-of-bounds read vulnerability within the JBIG2Bitmap::combine function in JBIG2Stream.cc. |
| CVE-2024-11852 | 2024-12-22 | Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) <= 5.10.12 - Missing Authorization |
| CVE-2024-12890 | 2024-12-22 | code-projects Online Exam Mastering System update.php sql injection |
| CVE-2024-12891 | 2024-12-22 | code-projects Online Exam Mastering System account.php sql injection |
| CVE-2024-12892 | 2024-12-22 | code-projects Online Exam Mastering System sign.php cross site scripting |
| CVE-2024-12893 | 2024-12-22 | Portabilis i-Educar Tipo de Usuário Page 2 cross site scripting |
| CVE-2024-12894 | 2024-12-22 | TreasureHuntGame TreasureHunt acesso.php sql injection |
| CVE-2024-12895 | 2024-12-22 | TreasureHuntGame TreasureHunt checkflag.php console_log sql injection |
| CVE-2024-12896 | 2024-12-22 | Intelbras VIP S4320 G2 Web Interface webCapsConfig information disclosure |
| CVE-2024-12897 | 2024-12-22 | Intelbras VIP S4320 G2 Web Interface Sha1Account1 path traversal |
| CVE-2024-40896 | 2024-12-23 | In libxml2 2.11 before 2.11.9, 2.12 before 2.12.9, and 2.13 before 2.13.3, the SAX parser can produce events for external entities even if custom SAX handlers try to override entity... |
| CVE-2024-12898 | 2024-12-23 | 1000 Projects Attendance Tracking Management System faculty_action.php sql injection |
| CVE-2024-45721 | 2024-12-23 | home 5G HR02, Wi-Fi STATION SH-52B, and Wi-Fi STATION SH-54C contain an OS command injection vulnerability in the HOST name configuration screen. An arbitrary OS command may be executed with... |
| CVE-2024-46873 | 2024-12-23 | Multiple SHARP routers leave the hidden debug function enabled. An arbitrary OS command may be executed with the root privilege by a remote unauthenticated attacker. |
| CVE-2024-47864 | 2024-12-23 | home 5G HR02, Wi-Fi STATION SH-52B, and Wi-Fi STATION SH-54C contain a buffer overflow vulnerability in the hidden debug function. A remote unauthenticated attacker may get the web console of... |
| CVE-2024-52321 | 2024-12-23 | Multiple SHARP routers contain an improper authentication vulnerability in the configuration backup function. The product's backup files containing sensitive information may be retrieved by a remote unauthenticated attacker. |
| CVE-2024-54082 | 2024-12-23 | home 5G HR02 and Wi-Fi STATION SH-54C contain an OS command injection vulnerability in the configuration restore function. An arbitrary OS command may be executed with the root privilege by... |
| CVE-2024-12899 | 2024-12-23 | 1000 Projects Attendance Tracking Management System course_action.php sql injection |
| CVE-2024-12900 | 2024-12-23 | FoxCMS Configuration File installdb.php code injection |
| CVE-2024-12901 | 2024-12-23 | FoxCMS API Endpoint Site.php improper authorization |
| CVE-2024-11230 | 2024-12-23 | Elementor Header & Footer Builder <= 1.6.46 - Authenticated (Contributor+) Stored Cross-Site Scripting via Page Title Widget |
| CVE-2024-12902 | 2024-12-23 | Global Wisdom Software ANCHOR - Undocumented Privileged Account |
| CVE-2024-12903 | 2024-12-23 | Incorrect default permissions in Biamp Evoko Home |
| CVE-2024-55539 | 2024-12-23 | Weak algorithm used to sign RPM package. The following products are affected: Acronis Cyber Protect Cloud Agent (Linux) before build 39185, Acronis Cyber Protect 16 (Linux) before build 39938. |